Inspector General 

SUBJECT SUMMARY: Final Audit Report for Your Information - “General Control 
Environment of the Federal Financial System at the Reston 
General Purpose Computer Center, U.S. Geological Survey” 
(No. 97-I-98) 


Attached for your information is a copy of the subject final audit report. This report presents 
a summary of the draft audit report “Stronger Controls Needed Over The Data Processing 
Environment At The U.S. Geological Survey, Reston General Purpose Computer Center,” 
issued by the Office of Inspector General, U.S. House of Representatives, on September 3, 
1996. We were informed by the House’s Office of Inspector General that the information 
presented in this draft report is the same information that will be presented in their final audit 
report. The objective of the audit was to evaluate the effectiveness of the general control 
environment surrounding the Federal Financial System and the processing of financial data 
for the House. 


The House Office of Inspector General’s audit report identified 42 weaknesses and made 70 
recommendations for corrective actions to the U.S. Geological Survey and one 
recommendation for corrective action to both the Geological Survey and the House’s Chief 
Administrative Officer. The report identified weaknesses in data center management and 
operations; mainframe computer system physical and logical security; telecommunications 
security; protection of the local area network from unauthorized access and use; and 
contingency planning, including backup procedures for preventing data loss and for the 
recovery of data in case of a disaster. 


The Geological Survey and House management worked collaboratively with our office, the 
House’s Office of Inspector General, and the contracted auditing team that performed the 
review to resolve key issues. As a result of this collaborative effort, the Geological Survey 
was able to take immediate corrective actions to resolve the deficiencies that could have 
adversely impacted the integrity and security of the processing of the House’s financial data 
on the Federal Financial System. The Geological Survey concurred with or proposed 
alternative recommendations for each of the report’s recommendations. Based on the 
response, we considered 13 recommendations implemented and 58 recommendations 
resolved but not implemented. 


If you have any questions concerning this matter, please contact me at (202) 208-5745 or 
Mr. Robert J. Williams, Acting Assistant Inspector General for Audits, at (202) 208-4252. 
AUDIT REPORT 


Memorandum 
To: Assistant Secretary - Water and Science 


From: Robert J. Williams 
Acting Assistant Inspector General for Audits 


Subject: Audit Report on the General Control Environment of the Federal Financial 
System at the Reston General Purpose Computer Center, U.S. Geological 
Survey (No. 97-I-98) 


INTRODUCTION 


This report presents a synopsis of the draft audit report “Stronger Controls Needed Over The 
Data Processing Environment At The U.S. Geological Survey, Reston General Purpose 
Computer Center,” issued by the Office of Inspector General, U.S. House of 
Representatives, on September 3, 1996. The audit, which was coordinated through our 
office, was conducted by Price Waterhouse, LLP, under contract to the House’s Office of 
Inspector General. We are issuing this report because we are the cognizant audit agency for 
the U.S. Geological Survey and because we want to ensure that the recommendations 
contained in this report are included in our audit recommendation tracking system. The 
objective of the audit was to evaluate the effectiveness of the general control environment 
surrounding the Federal Financial System and the processing of financial data for the House. 


BACKGROUND 


The Washington Administrative Service Center was established in 1987, within the 
Geological Survey, to direct the Department of the Interior’s efforts to standardize 
administrative systems. As part of this effort, the Geological Survey purchased the Federal 
Financial System from American Management Systems, Inc., in 1987. The Service Center 
leases computer space from the Geological Survey’s General Purpose Computer Center to 
operate the Federal Financial System on the Computer Center’s mainframe computer. The 
system license purchased by the Geological Survey allows it to provide services to Federal 
agencies outside of the Department of the Interior. As such, the Geological Survey is able 
to provide the Federal Financial System as an interim financial management system to the 
U.S. House of Representatives. 


On August 3, 1995, the Committee on House Oversight, U.S. House of Representatives, 
passed a resolution mandating the implementation of a new financial management system 
for House financial operations. The resolution required that the Chief Administrative 
Officer, in consultation with the House’s Office of Inspector General, implement the system. 
In September 1995, the Chief Administrative Officer entered into an agreement with the 
Geological Survey to provide, on an interim basis, the Geological Survey’s Federal Financial 
System for the processing of the House’s financial data. The House’s Office of Inspector 
General determined that a review of the general control environment of the Federal Financial 
System was necessary to “ensure the integrity and security of the financial information to be 
processed on the system.” As a result, a contract was awarded to Price Waterhouse, LLP, 
in March 1996 to perform a review of the policies and general controls of operations of the 
Geological Survey’s Federal Financial System at the General Purpose Computer Center in 
Reston, Virginia. 


SCOPE OF AUDIT 


Direction for and oversight of the contracted audit were provided by the House’s Office of 
Inspector General, which coordinated with our office throughout the review. The contracted 
audit was made in accordance with the “Government Auditing Standards,” issued by the 
Comptroller General of the United States. Accordingly, the audit included such tests of 
records and other auditing procedures that were considered necessary under the 
circumstances. The audit was performed from March through May 1996 at the General 
Purpose Computer Center. 


The contracted audit included a review of the integrity, confidentiality, and availability of 
information resources for processing the House’s financial data. The evaluation focused on 
general controls, including the following: user authentication; prevention of the system and 
data from unauthorized access, modification, and destruction; contingency plans in case of 
system destruction; and the backup and recoverability of data, systems, and 
telecommunications in case operations are disrupted. To perform this review, the contractor 
performed the following tasks: 


- Documentation was obtained from and interviews were conducted with officials 
responsible for system operations. 


- Control techniques consistent with data security standards based on current industry 
standards and Government guidelines were identified. 


- An understanding of the computing and internal controls related to system data, 
including data integrity, security, and availability, was obtained. 


- Key management controls and internal controls were assessed and tested. 


- Third-party audit and security software tools were used to perform automated testing 
techniques. 


In addition, computer and information systems audit guidelines were used in evaluating the 
effectiveness of the Computer Center’s management and operations. 


As part of the review, the internal controls related to the integrity, confidentiality, and 
availability of the mainframe computer were evaluated. The contracted audit disclosed 
internal control weaknesses related to the operating system, system access, security program 
and functions, network controls, and business continuity planning. These weaknesses are 
discussed in the Results of Audit section of this report. The recommendations, if 
implemented, should improve controls in these areas. 


PRIOR AUDIT COVERAGE 


The General Accounting Office had not issued any reports relating to operations of the 
Computer Center or its Federal Financial System. Our office, however, has issued one report 
during the past 5 years relating to the Geological Survey’s Federal Financial System. 


The September 1992 report “Implementation of the Federal Financial System, U.S. 
Geological Survey” (No. 92-1-14 18) stated that the Federal Financial System had not been 
implemented effectively and did not meet the requirements contained in the Joint Financial 
Management Improvements Program’s “Core Financial System Requirements.” These 
conditions occurred, according to the report, because the Geological Survey did not comply 
with Office of Management and Budget and Departmental guidelines for establishing and 
maintaining an integrated financial management system. The report also identified 
inadequate physical security at the Reston Automated Data Processing Facility. The 
Geological Survey generally agreed with our 19 recommendations and initiated actions to 
correct the deficiencies identified. 


RESULTS OF AUDIT 


The House Office of Inspector General’s audit report identified 42 weaknesses and made 70 
recommendations for corrective actions to the Geological Survey and one recommendation 
for corrective action to both the Geological Survey and the House’s Chief Administrative 
Officer. The report stated that the Geological Survey’s General Purpose Computer Center 
had operational internal controls that were inadequate. Specifically, weaknesses existed in 
data center management and operations; mainframe computer system physical and logical 
security; telecommunications security; protection of the local area network from 
unauthorized access and use; and contingency planning, including backup procedures for 
preventing data loss and for the recovery of data in case of a disaster. The Office of 
Management and Budget and the National Institutes of Standards and Technology have 
issued numerous directives, policies, and guidelines requesting that Federal agencies 
establish and implement computer security and controls to improve the safeguarding of 
sensitive information in Federal agencies’ computer systems. However, the Computer 
Center did not fully comply with these criteria because it did not: establish certain formal 
data center policies, standards, and procedures; segregate duties adequately; comply with 
vendor guidelines for system operations; and develop a formal and comprehensive data 
security program. Consequently, the Computer Center was susceptible to: unauthorized 
system access and data modification; errors and omissions during system start up and 
processing; and unauthorized facility or system access, which could lead to theft or 
destruction of hardware, software, and information. 


The control deficiencies noted in each of the functional aspects are summarized in the 
following paragraphs. 


Computer Center Management and Operations 


The House’s September 3 report identified 8 weaknesses and made 17 recommendations 
regarding the Computer Center’s management and operations. The report stated that the 
Computer Center had weaknesses in its management and operations that “posed significant 
risks” to computer system availability, confidentiality, and reliability. These problems 
included the following: 


- Inconsistent and inadequate security background checks and clearances for Computer 
Center government and contractor employees. 


- Poor controls over access to key support systems, such as the Internet, DOINET, and 
local area networks. 


- Inadequate and inconsistently used software program change control procedures. 


- Inadequate problem-resolution procedures. 


- Lack of control over the labeling and distribution of sensitive computer-generated 
printouts. 


Mainframe Computer System Physical and Logical Security 


The House’s September 3 report identified 20 weaknesses and made 32 recommendations 
regarding the Computer Center’s physical and logical security of its mainframe systems. 
The report stated that the Computer Center did not comply with vendor guidelines and 
generally accepted industry practices in administering and implementing operating system 
and access security software controls on its mainframe computer. Some of these deficiencies 
included: 


- Improper controls over critical operating system components, such as system start-up 
parameters and options and the authorized program facility. 


- Unrestricted access to and use of powerful system programs, such as the Customer 
Information Control System transaction utility programs. 


- Inadequate controls over system programmer access to terminals capable of acting as 
the master console terminal. 


- Inadequate software change control procedures over modifications made to the 
Customer Information Control System environment. 


- Improper installation of and controls over security access control software. 


- Improper controls over programmers and separated/terminated employees. 


Telecommunications Security 


The House’s September 3 report identified one weakness and made two recommendations 
regarding the Computer Center’s telecommunications security. The report stated that 
unrestricted user access through the Internet posed integrity and security risks to internal 
systems such as the mainframe computer and certain local area networks. 


Local Area Network Protection 


The House’s September 3 report identified 10 weaknesses and made 17 recommendations 
regarding the Computer Center’s local area network protection. The report stated that the 
Geological Survey did not provide proper controls in administering and managing its local 
area networks, which are connected to the mainframe computer that processes Federal 
Financial System data. Problems related to the local area networks included the following: 


- Inconsistent management and administration practices between three local area network 
servers. 


- Improper controls over passwords on and general access to a particular local area 
network. 


- Inadequate controls over powerful access privileges (supervisor privileges) to the local 
area network. 


- Lack of procedures for monitoring local area network access and usage. 


- Incomplete and untested contingency, data backup, and data recovery in case of disaster 
plans to ensure the timely recovery and resumption of operations. 


- Inadequate physical security controls to safeguard key network computer hardware. 


- Inconsistent requirements for installing and using virus detection software on fileservers 
and workstations. 


Contingency Planning, Backup, and Disaster Recovery 


The House’s September 3 report identified three weaknesses and made three 
recommendations regarding the Computer Center’s contingency planning, backup, and 
disaster recovery procedures. The report stated that the Computer Center’s contingency 
planning, data backup, and disaster-recovery procedures for the Federal Financial System 
mainframe computer were inadequate and did not allow for complete business resumption. 


Corrective Actions 


The Geological Survey and House management worked collaboratively with our office, the 
House’s Office of Inspector General, and the contracted auditing firm to resolve key issues. 
As a result of this collaborative effort, the Geological Survey was able to take immediate 
corrective actions to resolve the deficiencies that could have adversely impacted the integrity 
and security of the processing of the House’s financial data on the Federal Financial System. 
Geological Survey management also initiated efforts to correct the other deficiencies 
identified, which were important to the overall integrity and security of data center 
operations. In its report, the House’s Office of Inspector General stated that it believed that 
the “actions taken and the continuing commitment demonstrated” by Geological Survey 
management “to resolve the deficiencies identified has greatly reduced the risk” to the 
Computer Center’s “processing environment.” 


U.S. Geological Survey Response and Office of Inspector General Reply 


The Director, U.S. Geological Survey, responded to the House’s draft report on August 20, 
1996. Based on this response, we considered 13 recommendations implemented and 58 
recommendations resolved but not implemented. The unimplemented recommendations will 
be referred to the Assistant Secretary for Policy, Management and Budget for tracking of 
implementation (see the Appendix). 


The legislation, as amended, creating the Office of Inspector General requires semiannual 
reporting to the Congress on all audit reports issued, actions taken to implement audit 
recommendations, and identification of each significant recommendation on which corrective 
action has not been taken. 


We appreciate the assistance of U.S. Geological Survey personnel in the conduct of this 
audit. 


APPENDIX 


STATUS OF AUDIT REPORT RECOMMENDATIONS* 


Finding/Recommendation Reference: 3E, 7B, 10A, 10B, 13A, 15A, 15B, 18, 22, 23, 25, 41, 
and 42 
Status: Implemented. 
Action Required: No further action is required. 


Finding/Recommendation Reference: 1A, 1B, 2, 3A, 3B, 3C, 3D, 4, 5A, 5B, 5C, 6A, 6B, 8A, 
8B, 9A, 9B, 9C, 11A, 11B, 11C, 12, 13B, 14A, 14B, 14C, 16, 17, 19, 20A, 20B, 20C, 21, 
24A, 24B, 26, 27, 28, 29A, 29B, 30A, 30B, 31A, 31B, 32A, 32B, 33A, 33B, 33C, 33D, 34, 
35, 36A, 36B, 37, 38, 39, and 40 
Status: Resolved; not implemented. 
Action Required: No further response to the Department of the Interior Office of 
Inspector General is required. The recommendations will be referred to the Assistant 
Secretary for Policy, Management and Budget for tracking of implementation. 


* From audit report “Stronger Controls Needed Over The Data Processing Environment At The U.S. Geological 
Survey, Reston General Purpose Computer Center,” dated September 3, 1996. 
ILLEGAL OR WASTEFUL ACTIVITIES 
SHOULD BE REPORTED TO 
THE OFFICE OF INSPECTOR GENERAL BY: 


Within the Continental United States 


Sending written documents to: 
U.S. Department of the Interior 
Office of Inspector General 
1550 Wilson Boulevard 
Suite 402 
Arlington, Virginia 22210 


Calling: 
Our 24-hour Telephone HOTLINE 
1-800-424-5081 or (703) 235-9399 


TDD for hearing impaired 
(703) 235-9403 or 1-800-354-0996 


Outside the Continental United States 


Caribbean Region 


Sending written documents to: 
U.S. Department of the Interior 
Office of Inspector General 
Eastern Division - Investigations 
1550 Wilson Boulevard 
Suite 410 
Arlington, Virginia 22209 


Calling: 
(703) 235-9221 


North Pacific Region 


Sending written documents to: 
U.S. Department of the Interior 
Office of Inspector General 
North Pacific Region 
238 Archbishop F.C. Flores Street 
Suite 807, PDN Building 
Agana, Guam 96910 


Calling: 
(700) 550-7279 or COMM 9-011-671-472-7279 










